What should we do when your data is leaked online?

How long should we wait before publishing an article about a data leak?

  • Immediately

    Votes: 86 60.1%
  • Within 24 hours

    Votes: 23 16.1%
  • Within 48 hours

    Votes: 13 9.1%
  • When the company whose clients’ data was leaked approves

    Votes: 17 11.9%
  • Never

    Votes: 4 2.8%

  • Total voters
    143

rpm

Admin
Staff member
Joined
Jul 22, 2003
Messages
66,806
Reaction score
5,057
Location
Johannesburg
If MyBroadband is alerted to an online data leak, where sensitive data of South Africans is available online, how long should we wait until we publish an article about it?
 
Only wait as long as it takes to gather the facts (as opposed to speculation).
 
I think you should give the company concerned at least time to secure the leaky system and take down (if possible - probably not) the leaked data before opening the floodgates.
Publication should be a last resort to force the company to do something about it if they seem unwilling.

I have uncovered security issues in some ISPs' systems before, and have somehow managed NOT to run to the press in order to get it rectified. Whether those companies choose to inform their clients is, I believe, their ethical call.
In the recent case, I believe MyBB was used to attempt to discredit a company, and you guys need to be VERY aware of this kind of thing. You could cause more harm than good.
 
I think you should give the company concerned at least time to secure the leaky system and take down (if possible - probably not) the leaked data before opening the floodgates.
Publication should be a last resort to force the company to do something about it if they seem unwilling.

I have uncovered security issues in some ISPs' systems before, and have somehow managed NOT to run to the press in order to get it rectified. Whether those companies choose to inform their clients is, I believe, their ethical call.
In the recent case, I believe MyBB was used to attempt to discredit a company, and you guys need to be VERY aware of this kind of thing. You could cause more harm than good.
Surely then it's a journalist's duty to expose unethical decisions?

Shouldn't companies have contingency plans already in place for when, not if, data leaks?
 
None of the above.

As magicdude4eva posted in the current leak thread, the leaked data does not only impact one company (the hacked company). Normally other companies will also be compromised and they will also need to be informed, a task that should be undertaken by the "hacked" company.

Hence the answer is not so simple as immediately or 12 hours, 24 hours, etc.

This actually raises a very good opportunity to ask all the ISPs what they would prefer to happen? Also whether there is a standard operating procedure in case of such personal data leaks? Has ISPA or ICASA or any other body set out a guideline detailing what steps should be taken in case of such events?

Intriguing...
 
Last edited:
Surely then it's a journalist's duty to expose unethical decisions?

Shouldn't companies have contingency plans already in place for when, not if, data leaks?
Absolutely. But, as I was not a client of the ISPs concerned I am not able to verify whether in fact they did inform potentially impacted customers.
Should I then, after the flaw was fixed, have published it?

IMHO, it's not right to publish the info before the company concerned has had a chance to mitigate the damage.

MickeyD has a good point. Perhaps there needs to be some kind of standard procedure where companies can subscribe to a closed mailing list where this kind of data loss is disclosed - confidentiality a provision of membership etc...?
 
(oh and by mitigate, I do not mean cover up.)
 
MickeyD has a good point. Perhaps there needs to be some kind of standard procedure where companies can subscribe to a closed mailing list where this kind of data loss is disclosed - confidentiality a provision of membership etc...?

Keep in mind the leaked information is in most likelihood immediately available to the sort of people you really don't want to have it. Someone posted the data to mybb, haveibeenpwned.com, and who knows where else. Clients need to be made aware of this asap, not when the company involved deems fit. Sure, in this case Crystalweb seems to have done the right thing, but what if they hadn't?
 
Keep in mind the leaked information is in most likelihood immediately available to the sort of people you really don't want to have it. Someone posted the data to mybb, haveibeenpwned.com, and who knows where else. Clients need to be made aware of this asap, not when the company involved deems fit.

For sure. But is the media the right channel? Since suddenly a lot more people would have access to it... Temptation and all that?
 
For sure. But is the media the right channel? Since suddenly a lot more people would have access to it... Temptation and all that?

How else do you disseminate the info quickly and as broadly. I'm sure the readership of mybb news exceeds the forum by a long shot.
 
Immediately.

In this specific case CW alerted me timeously via email with new account details but I'm not happy that the portal is still down and I'm forced to use live chat if I want to change my password.
 
How else do you disseminate the info quickly and as broadly. I'm sure the readership of mybb news exceeds the forum by a long shot.

Hence the need for some sort of standard procedure/subscription model dissemination method?
 
Whichever media outlet receives the "tip off" also needs to determine whether the leak is of a malicious nature, i.e. there is a suspicion of direct intent to harm the company involved.

Is it their responsibility to notify SAPS of such information or should they immediately notify the relevant company and let them notify SAPS? If neither parties are of the mind to involve SAPS then they may as well publish it immediately and let the chips fall where they will.
 
Whichever media outlet receives the "tip off" also needs to determine whether the leak is of a malicious nature, i.e. there is a suspicion of direct intent to harm the company involved.
What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?
 
What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?

Clients should also take due care with their online details. Not victim-blaming here, but people should really take a good lesson away from this. Unique passwords per service!
 
So the problem is I cannot select an option on the Poll.

I think there should be a "security forum/ community" somewhere that needs to be advised immediately ( This is a group ALL large business belong to) and who can immediately assess the damage and then advise their clients directly if affected.

If such a group does not exist then it is high time it gets created.

Then the company directly affected should be informed, and once that is done and a reasonable time for publication is determined the data should be published.

The option that implies approval is the closest to what I would opt for, BUT I am not sure "approval" is the correct criteria. It does not allow for a company that does nothing. Then it is important to publish ...

PS: This is a topic which should be researched by someone, why not MYBB?
The purpose being to find out what best practice is -- we are not the first to go through such an event.
 
Last edited:
Clients should also take due care with their online details. Not victim-blaming here, but people should really take a good lesson away from this. Unique passwords per service!
I'm sure we both know people… friends, family, etc… who recycle passwords no matter what we tell them. :o
 
What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?
If it is a malicious attack then by the time that the hackers have tipped off the media (eg. mybb) they have already made those details available to the dark side. The hacked company has the easiest task; mitigate the risk and protect their customers from further harm (reset passwords, plug the leak, etc). It's the other companies involved that need to be informed to determine the impact of the leak on them and their customers (who are also customers of the hacked company).
 
If it is a malicious attack then by the time that the hackers have tipped off the media (eg. mybb) they have already made those details available to the dark side. The hacked company has the easiest task; mitigate the risk and protect their customers from further harm (reset passwords, plug the leak, etc). It's the other companies involved that need to be informed to determine the impact of the leak on them and their customers (who are also customer of the hacked company).

Do these third parties deserve to be informed before the client whose info was leaked?
 
Top
Sign up to the MyBroadband newsletter
X